1

When I was tracing a piece of an assembly program, I encountered the instruction `CALL DWORD PTR CS:[<&KERNEL32.GetPrivateProfileIntA>]` with opcode `2E:FF15 84244100`. Now I'm interested to know:

  1. Though the opcode relevant to the Call instruction is EA, why is the opcode mentioned above used instead?

  2. What does 2E: preceding the FF15 refer to?

Peter Cordes
Farshid
  • The `2E` is `cs` segment register prefix. The `FF15...` opcode is `call DWORD PTR ds:0x412484`, because `ds` is default segment register for this instruction, when not specified, and the `2E` `cs` prefix will modify that into `call DWORD PTR cs:0x412484`. ... why didn't you read the instruction guide instead of asking here? Will you ask for every new instruction you will encounter? – Ped7g Apr 24 '18 at 06:40

1 Answer

3

2e is the CS segment override.

FF /2 is call r/m32. The destination of the call is in the memory operand. (i.e. it loads a new EIP from memory). Without the CS prefix, it would have used the DS segment's base/limit for that addressing mode.

(EA is far jump so I think you meant E8 which is the opcode for the usual call rel32.)

Peter Cordes
prl
  • Thank you. But I guess you mean "DS override"? As I understood, this instruction works with DS as default. – Farshid Apr 24 '18 at 06:58
  • DS is the default segment. The CS segment override says to use CS instead. – prl Apr 24 '18 at 07:02
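
The decoding described in the answer and comments, as an added example that is not part of the original thread: a small Python decoder for 32-bit mode that splits the bytes from the question into segment prefix, opcode, ModRM and disp32. The function name `decode`, the supported subset (E8, EA, and FF /2 or /4 with a bare disp32 operand) and the default load address are assumptions made for illustration.

```python
import struct

# Segment-override prefix bytes and the segment register each one selects.
SEG_PREFIX = {0x26: "es", 0x2E: "cs", 0x36: "ss", 0x3E: "ds", 0x64: "fs", 0x65: "gs"}
# ModRM.reg values ("/digit") of opcode FF handled here: /2 = call r/m32, /4 = jmp r/m32.
FF_NEAR = {2: "call", 4: "jmp"}


def decode(code: bytes, addr: int = 0) -> str:
    """Decode one instruction from the small subset discussed in the thread."""
    try:
        i, seg = 0, None
        while code[i] in SEG_PREFIX:          # consume segment-override prefixes
            seg = SEG_PREFIX[code[i]]
            i += 1
        op = code[i]
        i += 1
        if op == 0xE8:                        # call rel32: target is relative to next EIP
            (rel,) = struct.unpack_from("<i", code, i)
            return f"call 0x{(addr + i + 4 + rel) & 0xFFFFFFFF:x}"
        if op == 0xEA:                        # jmp ptr16:32: far jump, offset then selector
            off, sel = struct.unpack_from("<IH", code, i)
            return f"jmp far 0x{sel:x}:0x{off:x}"
        if op == 0xFF:
            modrm = code[i]
            i += 1
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if reg in FF_NEAR and mod == 0 and rm == 5:
                # mod=00, rm=101: the operand is a bare disp32 address, and the
                # new EIP is loaded from that location. DS is the default segment.
                (disp,) = struct.unpack_from("<I", code, i)
                return f"{FF_NEAR[reg]} DWORD PTR {seg or 'ds'}:0x{disp:x}"
            raise ValueError(f"FF with ModRM {modrm:#04x} is outside this subset")
        raise ValueError(f"opcode {op:#04x} is outside this subset")
    except (IndexError, struct.error):
        raise ValueError("truncated instruction") from None


if __name__ == "__main__":
    # First entry is the byte sequence from the question; the rest are constructed.
    for raw in ("2EFF1584244100", "FF1584244100", "E805000000", "EA785634121B00"):
        print(f"{raw:<16} {decode(bytes.fromhex(raw), addr=0x401000)}")
```

For the question's bytes, ModRM `15` is `00 010 101` in binary: mod=00 and rm=101 select a disp32 operand, and the reg field 010 is the `/2` that makes `FF` a near indirect call.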